Data Processing Agreement

Effective date: March 24, 2026  ·  Last updated: March 24, 2026

This Data Processing Agreement ("DPA") is entered into between Pleroma Inc., a corporation incorporated under the laws of British Columbia, Canada ("Processor"), and the Customer identified in the applicable Order Form or Terms of Service ("Controller"). This DPA forms part of and is incorporated into the Terms of Service between the parties.

1. Definitions

Applicable Privacy Law

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), British Columbia's Personal Information Protection Act (PIPA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), and any other applicable Canadian federal or provincial privacy legislation, as amended from time to time.

Personal Information

Any information about an identifiable individual that is processed by Processor on behalf of Controller in connection with the Service, as defined under Applicable Privacy Law.

Processing

Any operation performed on Personal Information, including collection, use, storage, disclosure, transfer, retention, deletion, or destruction.

Sub-Processor

Any third party engaged by Processor to process Personal Information on behalf of Controller.

Security Incident

Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.

Service

The Pleroma cloud-based yard management platform as defined in the Terms of Service.

2. Roles & Scope

The parties acknowledge that, with respect to Personal Information processed through the Service:

• Controller determines the purposes and means of Processing and bears responsibility for ensuring it has a lawful basis for providing Personal Information to Processor.
• Processor processes Personal Information solely on behalf of Controller, in accordance with Controller's documented instructions and this DPA.

This DPA applies to all Personal Information that Processor processes in the course of providing the Service, including but not limited to End User account data, yard jockey driver profiles, shift records, and operational activity logs.

3. Processor Obligations

Processor agrees to:

• Process Personal Information only on documented instructions from Controller, including as set out in this DPA and the Terms of Service, unless otherwise required by applicable law;
• Ensure that personnel authorized to process Personal Information are subject to appropriate confidentiality obligations;
• Implement and maintain the technical and organizational security measures described in Section 6;
• Not engage Sub-Processors without authorization as set out in Section 5;
• Assist Controller in responding to requests from individuals exercising their rights under Applicable Privacy Law, to the extent that Processor can reasonably do so given the nature of the Processing;
• Assist Controller in meeting its obligations relating to security, Security Incident notification, and privacy impact assessments, taking into account the nature of the Processing and information available to Processor;
• At Controller's election, delete or return all Personal Information upon termination of the Service, and delete existing copies unless retention is required by applicable law;
• Make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, and cooperate with and contribute to audits conducted by Controller or its authorized representative, on reasonable prior written notice and no more than once per year unless a Security Incident has occurred.

4. Controller Obligations

Controller agrees to:

• Ensure it has a valid legal basis under Applicable Privacy Law for all Personal Information provided to Processor;
• Provide accurate and complete instructions to Processor regarding the Processing of Personal Information;
• Comply with its obligations under Applicable Privacy Law as a controller, including providing required notices to and obtaining required consents from individuals whose Personal Information is processed;
• Ensure that the Personal Information provided to Processor is accurate and limited to what is necessary for the purposes of the Service.

5. Sub-Processors

Authorization

Controller provides general authorization for Processor to engage Sub-Processors, subject to the conditions in this Section. Processor's current list of Sub-Processors is available at pleroma.systems/sub-processors and is updated as changes are made.

Notice of changes

Processor will provide Controller with at least 30 days' prior written notice of any intended addition or replacement of a Sub-Processor by updating the Sub-Processor list and notifying Controller by email. If Controller has a reasonable, documented objection to a new Sub-Processor, Controller must notify Processor in writing within 14 days of the notice. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection, Controller may terminate the affected portion of the Service on written notice, and Processor will refund any prepaid fees for the unused period.

Sub-Processor obligations

Processor will impose data protection obligations on each Sub-Processor equivalent to those set out in this DPA. Processor remains liable to Controller for the performance of Sub-Processors to the extent Processor is liable under this DPA.

Current Sub-Processors

As of the effective date, Processor's key Sub-Processors include:

• Amazon Web Services (AWS): Cloud infrastructure hosting and object storage — Canada and United States regions
• Clerk: User authentication and identity management — United States
• Stripe: Payment processing — United States

6. Security Measures

Processor will implement and maintain technical and organizational measures appropriate to the risk presented by the Processing, including:

Access controls

• Role-based access controls limiting employee access to Personal Information on a need-to-know basis
• Multi-factor authentication for internal systems and administrative access
• Regular review and revocation of access rights upon personnel changes

Data security

• Encryption of Personal Information in transit using TLS 1.2 or higher
• Encryption of Personal Information at rest
• Logical separation of Customer Data between tenants

Operational security

• Regular vulnerability assessments and patch management
• Security monitoring and intrusion detection
• Documented incident response procedures
• Regular employee security awareness training
• Backups with tested restoration procedures

Processor may update these measures over time provided the updated measures do not materially reduce the overall level of protection.

7. Security Incidents

Upon becoming aware of a confirmed Security Incident involving Personal Information processed under this DPA, Processor will:

• Notify Controller without undue delay, and in any event within 72 hours of becoming aware of the Security Incident, to the extent required by Applicable Privacy Law;
• Provide Controller with sufficient information to allow Controller to meet any notification obligations it may have under Applicable Privacy Law, including: a description of the nature of the incident, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the incident;
• Take reasonable steps to contain, investigate, and remediate the Security Incident;
• Cooperate with Controller's reasonable requests for information relating to the Security Incident.

Notification by Processor does not constitute an acknowledgment of fault or liability. Processor's obligation to notify is not contingent on a complete investigation of the Security Incident.

8. Cross-Border Transfers

Personal Information may be transferred to and processed in jurisdictions outside Canada, including the United States, where Processor's Sub-Processors operate. Processor will ensure that such transfers are made subject to appropriate safeguards as required by Applicable Privacy Law, including:

• Contractual protections with Sub-Processors requiring equivalent data protection standards;
• Where required by Quebec Law 25, conducting a privacy impact assessment (PIA) prior to communicating Personal Information outside Quebec, and ensuring the receiving jurisdiction offers an adequate level of protection.

9. Individual Rights Requests

If Processor receives a request directly from an individual exercising their rights under Applicable Privacy Law in relation to Personal Information processed under this DPA, Processor will promptly forward the request to Controller and will not respond to the individual directly except as instructed by Controller or required by law.

Processor will provide Controller with reasonable cooperation and assistance to facilitate Controller's response to such requests, including by providing access to relevant Personal Information in Processor's systems where technically feasible.

10. Privacy Impact Assessments

Where required by Applicable Privacy Law, Processor will provide reasonable cooperation and information to assist Controller in conducting privacy impact assessments related to the Processing carried out under this DPA.

11. Retention & Deletion

Processor will retain Personal Information only for as long as necessary to provide the Service or as required by applicable law. Upon expiry or termination of the Terms of Service:

• Controller may export its Personal Information via the Service for a period of 30 days following termination;
• Processor will delete or anonymize all Personal Information within 90 days of the end of the export period, except where retention is required by applicable law;
• Upon request, Processor will provide written confirmation of deletion.

12. Confidentiality

Processor will ensure that all personnel with access to Personal Information are bound by appropriate confidentiality obligations, whether by contract or professional duty, and receive training on applicable data protection requirements.

13. Liability & Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA reduces or limits either party's obligations under Applicable Privacy Law.

If Controller suffers loss as a result of Processor's breach of this DPA, Processor's liability will be determined in accordance with the Terms of Service. If a regulator or court determines that both parties bear responsibility for a Security Incident or privacy breach, liability will be apportioned between the parties according to their respective degree of responsibility.

14. Term

This DPA is effective as of the date the Terms of Service take effect and will remain in force for as long as Processor processes Personal Information on behalf of Controller. Termination of the Terms of Service will automatically terminate this DPA, subject to the survival of obligations relating to the return and deletion of Personal Information, confidentiality, and any ongoing regulatory requirements.

15. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service with respect to the Processing of Personal Information, this DPA will prevail. In the event of a conflict between this DPA and Applicable Privacy Law, Applicable Privacy Law will prevail.

16. Governing Law

This DPA is governed by the laws of British Columbia and the federal laws of Canada applicable therein. The parties submit to the exclusive jurisdiction of the courts of Vancouver, British Columbia for any dispute arising out of this DPA.

17. Contact

Questions or notices relating to this DPA should be directed to Pleroma's Privacy Officer: